Administrative Policy Manual
Code: AK Quality/Risk Management
AK0900 – ENTERPRISE RISK MANAGEMENT
Policy Sponsor: VP Support Services & Chief Financial Officer 1 of 2
Policy Steward: Corporate Director, Privacy, Policy & Risk Management
Date Approved: March 2020 Date(s) Reviewed-r/Revised-R:
This is an Interior Health CONTROLLED document. A copy of this document in paper form is not controlled and should be checked against the electronic file version to ensure accuracy
1.0 PURPOSE
To establish and maintain an effective and efficient organization-wide Enterprise Risk Management Framework to support Interior Health (IH) in achieving its Mission.
To provide direction on the requirements and responsibilities to integrate and apply the ERM Framework within all IH operations.
2.0 DEFINITIONS
TERM | DEFINITION
Enterprise Risk Management or ERM | A continuous, systematic and proactive approach to support an organization in achieving its objectives by considering the Risks at all levels in the organization and then managing the combined impact of those Risks.
Framework | Interior Health Enterprise Risk Management Framework: Principles, Governance & Process (Appendix A)
Risk | Anything that adversely affects the achievement of objectives, measured in terms of its likelihood of occurrence and the consequences of its occurrence.
3.0 POLICY
IH will actively and systematically promote and instill ERM principles and processes in all planning and decision-making activities and will ensure relevant and appropriate tools, support and training are available.
The risk management office (RMO), under the direction of the Vice President, Support Services & Chief Financial Officer and the Strategy and Risk Management Committee (SRMC), will provide leadership and guidance for ERM.
4.0 PROCEDURE
4.1 This policy applies to all IH employees and medical staff.
4.2 All IH employees and medical staff are responsible for recognizing the potential risks within the scope of their own work and are expected to work with management and the RMO to document the risk and to establish appropriate processes and risk mitigation activities to address the risk.
4.3 The Framework sets out IH’s organization-wide approach to ERM and describes the principles of the ERM program, including the process and tools for identifying, assessing, mitigating and reporting on enterprise-wide Risks. The Framework also confirms the commitment to regularly improve the ERM program.
5.0 REFERENCES
IH Board of Directors Manual, s. 3.11
International Organization for Standardization Standard (ISO Standard) ISO 31000:2018 Risk Management Guidelines.
Province of British Columbia’s Risk Management Guideline for the Public Sector.
Appendix A
Interior Health Enterprise Risk Management Framework
Principles, Governance & Process
March 2020
Enterprise Risk Management Framework
TABLE OF CONTENTS
ITEM | Page
1.0 Overview | 2
2.0 Principles | 3
3.0 Governance | 4
3.1 Alignment with Other Processes | 5
3.2 ERM Guided by Policy | 6
3.3 Roles and Responsibilities | 7
3.4 Key Activities | 9
3.5 Continuous Improvement | 10
4.0 Process | 11
4.1 Key Features | 11
4.2 Detailed ERM Process | 12
Appendices
A. Risk Register Template | 13
B. Risk Assessment Matrix | 14
Purpose
This framework document (Framework) describes Interior Health’s (IH) approach to managing risk across the organization through a structured risk management program to assist IH in achieving its Mission. The Framework applies to all employees and medical staff.
1.0 Overview
IH operates in a dynamic and complex environment that faces many areas of risk and uncertainty. The term “risk” describes the possibility that events will occur and either positively or negatively affect IH.
The term Enterprise Risk Management (ERM) describes a continuous, coordinated and proactive approach to manage and respond to risk across all parts of the organization, at all levels, from planning to service delivery.
IH’s ERM program follows the internationally recognized principles and standards set out by the International Organization for Standardization (ISO) and the Province of British Columbia’s Risk Management Guideline for the Public Sector. IH’s ERM program does not operate in isolation and aligns with other IH-wide processes.
This Framework describes the three components of IH’s ERM program: the principles for managing risk; the governance of the program; and the process for identifying, assessing, monitoring and reporting risk information.
“. . . hospitals and other healthcare systems are expanding their risk management programs from ones that are primarily reactive and promote patient safety and prevent legal exposure, to ones that are increasingly proactive and view risk through the much broader lens of the entire healthcare ecosystem.”
Source: “What is Risk Management in Healthcare”, NEJM Group, a division of the Massachusetts Medical Society.
2.0 PRINCIPLES
Every person at IH acts as a risk manager responsible for identifying and managing risks that may prevent IH from achieving its Mission. The following principles are the foundation for IH’s ERM program (Source: ISO 31000:2018 Risk Management - Guidelines):
• Creates Value: Create and protect value by identifying and managing internal and external factors that may affect its Mission.
• Integral Part of Organizational Processes: Integrate ERM within the organization's other planning activities & processes.
• Part of Decision Making: Helps decision-makers make informed choices, prioritize and distinguish among alternative courses of action.
• Explicitly Addresses Uncertainty: Explicitly account for uncertainty, the nature of that uncertainty and how to address uncertainty.
• Systematic, Structured & Timely: A consistent and structured approach contributes to efficiency and to comparable and reliable results.
• Based on Best Available Information: Obtain the best available information in order to have a correct understanding of any risk.
• Tailored: Adjust the ERM process to align with IH's needs.
• Accounts for Human & Cultural Factors: Recognize that human and cultural characteristics influence a stakeholder's view.
• Transparent & Inclusive: Appropriate and timely involvement of stakeholders ensures ERM remains relevant and up-to-date.
• Dynamic, Iterative & Responsive to Change: Continually sense and respond to change resulting from external and internal events.
• Continual Improvement: Develop and implement strategies to improve ERM maturity alongside all other aspects of the organization.
IH’s Risk Management Office (RMO) continually evaluates the ERM program to ensure it continues to reflect these principles and recommends adjustments if portions of the program no longer add value and should be discontinued or redesigned based on IH’s organizational culture and context.
3.0 GOVERNANCE
The design and structure of IH’s ERM program takes into consideration its culture, context, any legal and regulatory requirements and, most importantly, its obligations to clients, employees, patients and partners. The effectiveness of the ERM program depends on successfully embedding it into the decision-making process for all IH activities. Integrating considerations of risk helps ensure IH stakeholders account for risks, and the activities in place to manage those risks, when planning operations and activities to help achieve IH’s Mission. This integration of risk approach helps overcome the perception that risk management is the subject of an isolated exercise concerned only with compiling and managing a list of risks.
Governance of the ERM program includes:
• aligning the program with other organization-wide processes;
• implementing ERM principles via an organization-wide policy;
• establishing a governance structure with clearly defined roles and responsibilities;
• outlining the program’s key activities; and
• continuing to improve the program.
3.1 Alignment with Other IH Processes
One of the Board’s risk management mandates is to ensure that management has systems and programs in place to manage principal financial and non-financial risks (Board Risk Management Policy Section 1.5). The ERM program is one of the many organization-wide processes that occur regularly, as shown in the IH Annual Planning Cycle below (Source: Courtesy of IH Health Systems Planning Department).
[Figure: IH Annual Planning Cycle. The cycle runs by fiscal quarter: Q1 (Apr, May, Jun) Implement; Q2 (Jul, Aug**, Sep) Begin Scan (Evaluate / Assess); Q3 (Oct, Nov, Dec**) Planning (Assess / Plan); Q4 (Jan, Feb, Mar) Finalize, adopt plans (Plan). Milestones shown on the cycle: Annual Service Plan Report to MOH*; ERM Report to Board; SET Strategy Day; Launch planning process; Environmental Scan (including ERM); Review & refresh ERM risk registers with Risk Owners; Portfolio Work Plans (Oct – Dec); Portfolio Workplans and ERM risk registers inform BMP; SRMC & SET review Key Risks; MOH Budget; MOH Service Plan; Draft Mandate Letter and Bilateral Agreement; Prelim. Funding Letter; Internal consultations; EPM Objectives; Draft IH Service Plan & Detailed Plan; SET Strategic Working Day; Q4 Update*; Service Plan to MOH.]
** The ERM risk register informs, and is informed by, Portfolio Workplans and Environmental Scans.
LEGEND
BMP: Budget Management Process; EPM: Employee Performance Management; ERM: Enterprise Risk Management; MOH: Ministry of Health; SET: Senior Executive Team. * From previous fiscal year.
3.2 ERM Guided by Policy
Another critical component of IH’s ERM program is its policy document. IH’s ERM Policy, AK0900 – Enterprise Risk Management, sets forth a common approach to addressing risk to support achieving its Mission. The benefits of the policy include:
• Advancing the objective of integrating Enterprise-Wide Risk Management into IH operations.
• Establishing clearly defined, documented risk management processes connected to other enterprise-wide processes.
• Providing IH employees and medical staff easier access and reference to the ERM processes via the Insidenet Policy page.
• Ensuring the policy receives periodic review (every 3 years per the IH Policy Development Guide).
3.3 Roles & Responsibilities
An effective ERM program requires clearly defined roles and responsibilities. The major stakeholders for the ERM program include the Board of Directors, the Senior Executive Team, Internal Audit, the Strategy and Risk Management Committee, Vice President Leadership Teams and all IH employees and medical staff. Responsibility for the ERM program lies across the organization. The specific responsibilities of each stakeholder are set out below.
Board of Directors (Board)
• Provide overall oversight of the ERM program, delegating to Board Committees all or certain oversight responsibilities as required.
• Determine strategic approach to risk & set risk appetite.
• Understand the most significant/key risks.
• Monitor activity, through receiving reports, in order to support management with budgets and decision making to manage risks properly and to advocate within the community and the Ministry for other resources to manage identified risks.
Senior Executive Team (SET)
• Determine & provide resources to implement and maintain the ERM program.
• Review significant/key risks.
• Define the roles of management and management committees.
• Monitor the operation of the ERM program and provide the Board with an annual update that includes: (i) identifying key risks and mitigation activities; (ii) changes to previously identified key risks and mitigation activities; and (iii) recommending any changes in policy or process needed to achieve the overall objectives of the ERM program.
Internal Audit
• As part of its mandate to audit current and developing control systems, gather information on all aspects of the ERM and how it is functioning across the organization.
• Provide the President and Chief Executive Officer, the SET and the Board with an independent assessment of the strengths and weaknesses of the ERM program and advise on where changes in either policy or process may be desirable.
Strategy & Risk Management Committee (SRMC)
• Perform the Risk Committee function for the ERM program.
• Review the appropriateness of items on the enterprise risk register, monitor risk mitigation plans and their effectiveness and recommend additions/deletions of risk items.
• Assign risk owners for significant/key risks.
• Review key risks and ensure mitigation responses are consistent with the risk appetite.
• Recommend additions and deletions of key risks to SET.
• Report monthly risk alerts to SET.
VP Leadership Teams (VPLT)
• Identify, assess, monitor and report on risk events in their areas of responsibility.
• Monitor and report changes to existing risk events & risk mitigations.
Risk Owner (Senior IH leaders with knowledge of the key risks)
• Oversee risk mitigation activities, including updating the status and completion of the activities.
• Coordinate efforts with other IH employees and medical staff to complete risk mitigation activities.
• Communicate the status of risk mitigation activities to SRMC.
Risk Management Office (RMO)
• Educate stakeholders on ERM.
• Develop, monitor and revise the administrative procedures for the ERM program.
• Liaise/coordinate with risk owners to obtain an enterprise-wide view of risks.
• Prepare updates, at least once per year, to the Board on risk management activities, as well as updates if any significant risk changes or issues arise.
• Review the ERM program and recommend changes as appropriate.
Employees and Medical Staff
• Apply risk management within the scope of their duties and responsibilities.
• Report risks with causes, impacts, or mitigations beyond their scope of responsibility or available resources to their manager.
• Integrate sound risk management planning and process into their business processes.
3.4 Key Activities
A clearly understood ERM program requires consistent, recurring activities as well as a regular reporting schedule to ensure all stakeholders are aware of enterprise-wide risks. IH management is committed to the following recurring activities relating to the ERM program.
The value of an organization’s ERM program also lies in conducting regular, proactive monitoring and environmental scans to capture internal and external events that may affect its ability to achieve its Mission. Proactive activities relating to IH’s ERM program include:
AUGUST
• Review Environmental Scan to identify weaknesses or challenges that pose a risk.
NOVEMBER
• Review & update risk register with risk owners.
• VP Workplan Process begins.
• Update workplans to include risk mitigation activities where appropriate.
JANUARY
• Consider any new risks & remove risks from enterprise risk register that are no longer relevant.
• Refresh enterprise risk register by reviewing the likelihood & consequence rating for each risk.
FEBRUARY
• Identify Key Enterprise Risks.
• Based on analysis of key risks across all VPLT risk registers.
JUNE
• Annual Report to the Board.
• Key Risks (Current & Trending) and Risk Mitigation Strategies.
BI-MONTHLY
• Provincial Risk Management Meetings.
• Attendees include all BC health authorities and the Provincial healthcare insurer.
• Discuss current & trending healthcare risks.
• Report relevant items to SRMC.
MONTHLY
• Assigned risk owners update SRMC on Risk Mitigation Activities of assigned Key Risk Events.
• RMO regularly reviews SRMC agenda items (via briefing notes) for emerging risks to monitor and/or present to SRMC as an enterprise risk event.
QUARTERLY
• Meet with VPLTs.
• Discuss status of Risk Events & Risk Mitigation Activities within portfolio risk registers.
3.5 Continuous Improvement
The RMO monitors and reviews the ERM program and, in collaboration and consultation with SRMC and SET, decides on improvements to the program. The objective for continual improvement is to lead to improvements in IH's management of risk and its risk management culture.
Various triggers for continuous improvement include:
• At minimum every three years and as required, review the ERM policy to ensure it reflects current ERM best practices.
• Yearly review of risk domains and categories to ensure alignment with IH’s Mission and to reflect changes in the external environment.
• Continue looking for opportunities to embed the risk management culture by regularly reviewing and updating as necessary:
  o Reports to stakeholders (form of reports, frequency, etc.).
  o Technology to automate the ERM process to support ease of use and increase engagement.
  o Methods to measure risk management progress against, and deviation from, the ERM principles.
  o Reporting on progress with the ERM program and how well employees are following the ERM policy.
  o Improvements to the ERM Framework.
4.0 PROCESS
IH’s ERM process is an iterative one, refreshed annually and as needed should there be material changes in IH’s operating or business environment. The figure below describes the four components and the continuous and iterative nature of the process.
4.1 Key Features
• IDENTIFY: Identify risks that could prevent IH from achieving its Mission.
• ASSESS: Assess the likelihood and consequences of the risks occurring.
• MANAGE: Determine and evaluate controls or risk mitigation measures to manage the risks.
• MONITOR & REPORT: Monitor and report on key organization-wide risks and risk mitigation activities.
The ERM Process is an iterative and continuous 4-step process.
4.2 Detailed ERM Process
Each step of the ERM process requires completing specific actions and recording the results of these actions in a central, accessible document. A risk register is the central document that records the information captured during the ERM process (Appendix A). Risks do not remain static, and a risk register is a living document, subject to review at regular intervals. The detailed actions within each step of the ERM process include:
IDENTIFY
• Recognize & describe risk events (short to long term & emerging risks).
• Identification techniques: review incident reports (e.g. Patient Safety Learning System events); review risks identified in briefing notes submitted to SRMC.
• Record identified risks in the risk register.
ASSESS
• For each identified risk event, determine a risk rating by: (a) determining the likelihood of the risk event occurring; and (b) determining the consequences resulting from the risk event occurring, using the Risk Assessment Matrix (Appendix B). The product (likelihood x consequence) of these two variables is the risk rating.
• Record the risk rating in the risk register.
MANAGE
• Establish and implement risk mitigation activities to:
  o Accept the risk event;
  o Avoid the risk event by not starting or ceasing activities that cause it;
  o Mitigate the consequences or likelihood of the risk event; or
  o Transfer all or part of the risk event to another party (e.g. via contracts or insurance).
• List all risk mitigation activities for each identified risk event on the risk register.
MONITOR & REPORT
• Monitor and regularly report on the risk mitigation activities of each risk event in the risk register.
• Assigned risk owners provide regular updates to SRMC on Risk Mitigation Activities of key risks.
• RMO presents Annual Report to Board on Key Risks (Current & Trending) and Risk Mitigation Activities.
Appendix A: Risk Register (Template)
The register template has one row per risk event and the following columns:
RISK CATEGORY | Identifies the risk category most applicable to the risk event.
RISK EVENT | What is it that you are working to avoid, or to reduce the likelihood or impact of occurring? Risks are future events that could stop you from achieving IH’s Mission.
CAUSE | What are the triggers, sources or circumstances that, acting alone or together, increase the likelihood that the Risk Event occurs? There are usually multiple causes leading to a Risk Event.
RISK CONTROLS | What are you doing now or plan to do in the future to reduce the impact of the event?
INHERENT RISK RATING (see Risk Assessment Matrix) | Likelihood; Consequence; Inherent Risk Rating.
RESIDUAL RISK RATING (see Risk Assessment Matrix) | Likelihood; Consequence; Residual Risk Rating.
EFFECTIVENESS OF RISK CONTROLS | Controlled, In Progress, Attention Required.
RISK TOLERANCE | Will you ACCEPT, AVOID, MITIGATE or TRANSFER the risk?
RISK LEADER |
FURTHER ACTION |
COMPLETION DATE |
Appendix B: Risk Assessment Matrix
RISK ASSESSMENT MATRIX (each cell shows the rating band and the score, likelihood x consequence)
LIKELIHOOD \ CONSEQUENCE | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic
5 Almost Certain | Low 5 | Medium 10 | High 15 | Extreme 20 | Extreme 25
4 Likely | Low 4 | Medium 8 | High 12 | High 16 | Extreme 20
3 Possible | Low 3 | Medium 6 | Medium 9 | High 12 | High 15
2 Unlikely | Low 2 | Low 4 | Medium 6 | Medium 8 | Medium 10
1 Almost certain not to happen | Low 1 | Low 2 | Low 3 | Low 4 | Low 5
LIKELIHOOD
5 Almost Certain: 80% - 99% probability of occurring in the next 12 months. Expected to occur.
4 Likely: 61% - 79% probability of occurring in the next 12 months. Will occur in most circumstances.
3 Possible: 40% - 60% probability of occurring in the next 12 months. It might occur at some time.
2 Unlikely: 11% - 39% probability of occurring in the next 12 months.
1 Almost certain not to happen: 0% - 10% probability of occurring in the next 12 months. Occurs only in exceptional circumstances.
CONSEQUENCE
1 Insignificant: Minimal impact on achieving Mission. Outcomes within stated risk tolerances. Consequences dealt with by routine operations. Negligible monetary loss. No community response. No media interest.
2 Minor: Minor impact on Mission. Outcomes within stated risk tolerances. Consequences threaten efficiency or effectiveness of some services. Monetary loss managed within operating or project budget. Isolated community complaints. Local short-term media interest.
3 Moderate: Moderate impact on Mission. Outcomes may or may not remain within risk tolerances. Consequences would require significant review or changes to ways of operating. Monetary loss may require suspending some services. Moderate environmental implications. Some community complaints. Local long-term media interest.
4 Major: Major impact on Mission. Consequences threaten effective provision of services. Senior management intervention required. Monetary loss would require cancellation of some services. High environmental implications. Negative community complaints. Major loss of credibility. National short-term media interest.
5 Catastrophic: Catastrophic impact on Mission. Consequences threaten key services, causing major problems for clients. Monetary loss would have extreme consequences. Far-reaching environmental implications. Catastrophic loss of reputation. Parliamentary concerns. National long-term media interest.
RISK RATING (LIKELIHOOD X CONSEQUENCE) | ACTION REQUIRED
Extreme (20-25) | Mitigate, Transfer or Avoid. Immediate attention required. Action plan developed by risk owner.
High (12-16) | Mitigate or Transfer. Action plan for mitigation or transfer developed by risk owner.
Medium (6-10) | Accept or Mitigate. Action plan for mitigation developed by risk owner.
Low (0-5) | Accept and monitor. No further action required.
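As an added illustration, not part of the IH policy or Framework document, the Python script below encodes the Appendix B matrix and the rating table above and applies them to a few constructed rows modelled on the Appendix A register columns. The `RiskEntry` fields, the sample register rows and the two consistency checks in `assess` (a residual rating above the inherent rating, and an Extreme or High residual risk marked ACCEPT) are assumptions made for this example; only the scores, bands and actions come from the matrix and table.

```python
"""Risk rating helpers modelled on the Appendix B Risk Assessment Matrix.

Added illustration, not part of the IH framework document. The register
rows at the bottom are constructed sample data.
"""
from dataclasses import dataclass

# Rating bands from Appendix B and the action table: score = likelihood x consequence.
BANDS = (
    (20, 25, "Extreme", "Mitigate, Transfer or Avoid. Immediate attention required. "
                        "Action plan developed by risk owner."),
    (12, 16, "High", "Mitigate or Transfer. Action plan for mitigation or transfer "
                     "developed by risk owner."),
    (6, 10, "Medium", "Accept or Mitigate. Action plan for mitigation developed by risk owner."),
    (0, 5, "Low", "Accept and monitor. No further action required."),
)

LIKELIHOOD = {5: "Almost Certain", 4: "Likely", 3: "Possible",
              2: "Unlikely", 1: "Almost certain not to happen"}
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate",
               4: "Major", 5: "Catastrophic"}


def rate(likelihood: int, consequence: int) -> tuple[int, str]:
    """Return (score, band) for a likelihood and a consequence, each 1..5."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must each be an integer 1..5")
    score = likelihood * consequence
    for low, high, band, _action in BANDS:
        if low <= score <= high:
            return score, band
    # Every product of two 1..5 integers (1,2,3,4,5,6,8,9,10,12,15,16,20,25)
    # falls inside a band, so the gaps between bands are never reached.
    raise AssertionError(f"score {score} outside all bands")


def action_for(band: str) -> str:
    """Action required for a band, per the rating table."""
    for _low, _high, name, action in BANDS:
        if name == band:
            return action
    raise KeyError(band)


def build_matrix() -> dict[tuple[int, int], tuple[int, str]]:
    """Full 5x5 matrix keyed (likelihood, consequence), for cross-checking Appendix B."""
    return {(lk, cq): rate(lk, cq) for lk in LIKELIHOOD for cq in CONSEQUENCE}


@dataclass
class RiskEntry:
    """One row of the Appendix A register (subset of the columns; assumed field names)."""
    category: str
    event: str
    inherent: tuple[int, int]   # (likelihood, consequence) before controls
    residual: tuple[int, int]   # (likelihood, consequence) after current controls
    tolerance: str              # ACCEPT, AVOID, MITIGATE or TRANSFER


def assess(entry: RiskEntry) -> dict:
    """Score one register row and flag inconsistencies a reviewer would query."""
    inh_score, inh_band = rate(*entry.inherent)
    res_score, res_band = rate(*entry.residual)
    flags = []
    if res_score > inh_score:
        # Assumed data-quality check (not an IH rule): controls should not make a
        # risk worse, so this usually means the two ratings were swapped.
        flags.append("residual rating exceeds inherent rating")
    if res_band in ("Extreme", "High") and entry.tolerance == "ACCEPT":
        # The rating table lists Accept only for the Medium and Low bands.
        flags.append(f"{res_band} residual risk marked ACCEPT")
    return {"event": entry.event, "inherent": (inh_score, inh_band),
            "residual": (res_score, res_band), "action": action_for(res_band),
            "flags": flags}


def review_register(entries):
    """Assess every row, highest residual score first, so key risks sit at the top."""
    return sorted((assess(e) for e in entries),
                  key=lambda r: r["residual"][0], reverse=True)


# Constructed sample register rows (illustrative only, not IH data).
SAMPLE_REGISTER = [
    RiskEntry("Information Systems", "Prolonged outage of a clinical information system",
              inherent=(4, 4), residual=(2, 4), tolerance="MITIGATE"),
    RiskEntry("Workforce", "Sustained staffing shortage at rural sites",
              inherent=(5, 3), residual=(4, 3), tolerance="MITIGATE"),
    RiskEntry("Financial", "Operating budget shortfall in a single portfolio",
              inherent=(3, 2), residual=(2, 2), tolerance="ACCEPT"),
    RiskEntry("Privacy", "Mis-entered row: residual rated above inherent",
              inherent=(2, 3), residual=(3, 4), tolerance="ACCEPT"),
]

if __name__ == "__main__":
    for row in review_register(SAMPLE_REGISTER):
        print(f"{row['residual'][1]:8} {row['residual'][0]:2}  {row['event']}  {row['flags']}")
```

Running the script lists the four sample rows with the two High residual risks first; the deliberately mis-entered row is flagged twice, which is the kind of check the RMO could run before a register reaches SRMC.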